Enterprise administrators use access control systems to grant users the ability to access resources, for example to read files in particular directories or on particular systems, to read and write those files, or to read, write, and delete them. Role-based access control systems grant access to resources based on the user roles assigned to users. For example, an administrator uses a role-based access control system to assign one of many user roles (e.g., billing user) to a user, and the assigned user role enables the user to access and modify a variety of billing records. Because access is granted by role, the administrator does not have to evaluate access to each of numerous billing records separately for each user. However, existing role-based systems allow any administrator to assign any user role to any user. For example, any administrator can assign the billing user role to a user who works in the sales department even though the sales administrator who supervises that user does not want the user to be able to access and modify billing records.
In contrast to role-based access control systems, discretionary access control systems make the administrator who has exclusive responsibility for a resource the only administrator who can grant users access to that resource. For example, a billing website administrator may be the only administrator who can grant any user access to the billing website. However, discretionary access control systems still present a related problem: the billing website administrator can grant access to the billing website to a user who works in the sales department even though the sales administrator who supervises that user does not want the user to be able to access the billing website. In both cases the administrator responsible for the user is never consulted when access is granted.
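The following is an added example, not code from the original document, that models the two schemes described above in a few lines of Python and reproduces the gap they share. The classes, the user and administrator names (alice, sales_admin, billing_admin), the role and resource names, and the `SupervisedGrantControl` variant that additionally requires the receiving user's supervising administrator to consent are all constructed for illustration; the consent check is an assumption of this example and not a method the document describes.

```python
# Added example (not from the original document): toy models of the role-based
# and discretionary schemes described above, plus a hypothetical supervised
# grant. All user, administrator, role and resource names are constructed.
from __future__ import annotations


class RoleBasedAccessControl:
    """RBAC as described: permissions hang off roles, and any administrator
    may assign any role to any user; the assigning admin is never checked."""

    def __init__(self, role_permissions: dict[str, set[str]]):
        self.role_permissions = role_permissions
        self.user_roles: dict[str, set[str]] = {}

    def assign_role(self, admin: str, user: str, role: str) -> None:
        if role not in self.role_permissions:
            raise KeyError(f"unknown role {role!r}")
        # No check on who `admin` is or whether they supervise `user`.
        self.user_roles.setdefault(user, set()).add(role)

    def has_permission(self, user: str, permission: str) -> bool:
        return any(permission in self.role_permissions[r]
                   for r in self.user_roles.get(user, ()))


class DiscretionaryAccessControl:
    """DAC as described: only the administrator responsible for a resource may
    grant access to it, but nothing consults the receiving user's supervisor."""

    def __init__(self, resource_owner: dict[str, str]):
        self.resource_owner = resource_owner
        self.acl: dict[str, set[str]] = {}

    def grant(self, admin: str, user: str, resource: str) -> None:
        if self.resource_owner.get(resource) != admin:
            raise PermissionError(f"{admin} is not responsible for {resource}")
        self.acl.setdefault(resource, set()).add(user)

    def can_access(self, user: str, resource: str) -> bool:
        return user in self.acl.get(resource, set())


class SupervisedGrantControl(DiscretionaryAccessControl):
    """Hypothetical hardening (an assumption of this example, not a method the
    document describes): a grant also needs the consent of the administrator
    who supervises the receiving user."""

    def __init__(self, resource_owner: dict[str, str], supervisor_of: dict[str, str]):
        super().__init__(resource_owner)
        self.supervisor_of = supervisor_of
        self.consents: set[tuple[str, str, str]] = set()  # (supervisor, user, resource)

    def consent(self, supervisor: str, user: str, resource: str) -> None:
        if self.supervisor_of.get(user) != supervisor:
            raise PermissionError(f"{supervisor} does not supervise {user}")
        self.consents.add((supervisor, user, resource))

    def grant(self, admin: str, user: str, resource: str) -> None:
        supervisor = self.supervisor_of.get(user)
        if (supervisor, user, resource) not in self.consents:
            raise PermissionError(f"{supervisor} has not consented to {user} on {resource}")
        super().grant(admin, user, resource)


def attempt(action, *args) -> bool:
    """Run a grant or assignment and report whether it was allowed."""
    try:
        action(*args)
        return True
    except PermissionError:
        return False


def demo() -> dict[str, bool]:
    # Constructed sample organisation: alice works in sales under sales_admin.
    supervisor_of = {"alice": "sales_admin"}
    rbac = RoleBasedAccessControl({"billing_user": {"read:billing", "write:billing"}})
    dac = DiscretionaryAccessControl({"billing_website": "billing_admin"})
    supervised = SupervisedGrantControl({"billing_website": "billing_admin"}, supervisor_of)

    results: dict[str, bool] = {}
    # RBAC: the billing admin (or any admin) hands alice the billing role unchallenged.
    results["rbac_any_admin_assigns"] = attempt(rbac.assign_role, "billing_admin", "alice", "billing_user")
    results["rbac_sales_user_writes_billing"] = rbac.has_permission("alice", "write:billing")
    # DAC: a non-owner is refused, but the owner can still grant across departments.
    results["dac_non_owner_refused"] = attempt(dac.grant, "sales_admin", "alice", "billing_website")
    results["dac_owner_grants_to_sales_user"] = attempt(dac.grant, "billing_admin", "alice", "billing_website")
    results["dac_sales_user_has_access"] = dac.can_access("alice", "billing_website")
    # Hypothetical supervised grant: refused until sales_admin consents.
    results["supervised_refused_without_consent"] = attempt(supervised.grant, "billing_admin", "alice", "billing_website")
    supervised.consent("sales_admin", "alice", "billing_website")
    results["supervised_allowed_after_consent"] = attempt(supervised.grant, "billing_admin", "alice", "billing_website")
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Running `demo()` shows the two described outcomes side by side: the RBAC assignment and the DAC grant both succeed for the sales user because neither scheme consults `sales_admin`, while the supervised variant refuses the same grant until that consent is recorded.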
Neither of the above-described access control systems may satisfy the needs of an organization that must enforce responsibility for ensuring that its security procedures are followed.